Rob Gorrell (UNCG)
Jeremy Livingston (Stevens)
Mike Dickson (UMass Amherst)
Amel Caldwell (University of Washington)
John Buysse (Notre Dame)
Brett Bieber (University of Nebraska)
Nicole Roy, Albert Wu, Ann West, Mike Zawacki, Margaret Cullen, Romy Bolton,
- Intellectual Property Reminder - All Internet2 activities are governed by the Internet2 Intellectual Property Framework
- Public Content Notice - eAC minutes are public documents. Please let the eAC and note taker know if you plan to discuss something of a sensitive nature.
- Agenda bash
- Approval of last meeting’s minutes
- Rob Gorrell, Jeremy Livingston approve
- SO Update (Jeff, Brett, Mike)
- Network Nebraska: Funding was made available for broadband and connectivity, and eduroam participation was tied to that. 130 requests, $866k distributed. Huge jump in adoption, from about 30% to over 60% of districts. Currently have funded eduroam fees for all Network Nebraska members, which includes K12s, higher ed, tribal colleges, and others. Jeff Egly and I submitted talks to CoSN; they were accepted and will be merged into a K12 update. Calix (network gear provider) and Allo (local ISP) have created a platform to provide the eduroam SSID in residential and public deployments. UETN has rural ISPs that also use Calix network gear, and will be looking at working with those providers.
- The Sun Corridor Network:
- (Mike to add)
- Shifting some focus towards SPs and other partners, and private schools/academies. Also working on eduroam2Go deployment package that can be deployed to interested businesses so they’re an eduroam SP. Presented at CENIC’s member meeting.
- Brett: Interesting use case for CENIC - larger state, figuring out how to manage them coming aboard
- Link Oregon: (Mike to add)
- CEN: (Mike to add)
- Review of work priorities (Jeff, Brett)
- Lots to cover in today’s agenda - will circle back on this if the committee identifies additional items
- eduroam.org/CAT SP not accepting R&S v1 attributes (Brett/Albert/Mike)
- Several US eduroam subscribers have reported issues with resources that sit behind GEANT’s SP, more are likely impacted
- R&S Schema https://refeds.org/category/research-and-scholarship
- R&S FAQ: https://spaces.at.internet2.edu/display/federation/Research+and+Scholarship+FAQ
- Brett: Point of R&S schema is to make it easier to federate web based resources. The SP that the CAT, other resources maintained by GEANT sit behind aren’t consuming full attribute set. Currently impacting members of the US eduroam community. Couple of ways to move forward - communication and promotion/informing. Very important as we begin to promote CAT in the US. Albert, additional color and detail?
- Albert: My understanding of the situation: CAT is relied on by users to configure eduroam, and CAT admins rely on GEANT's SP to use this tool. Right now GEANT is asking for attributes outside of v1 R&S. The asks make technical sense but aren't common practice in identity federations, esp. InCommon. On one hand, need to understand the need for CAT to receive these additional attributes. On the other hand, if we're going to ask IdPs for new/different attributes we'd need to work with InCommon to meet those requirements. We're at the very beginning of that journey; it's a matter of years, not weeks. It's good that eduroam is asking for these, as it will drive the need for better attributes and operating principles.
- Nicole: Communication with the community is needed. Documentation on how to move to new attributes, justification etc, European community tends to move faster, US community is more deliberate, longer long tail. As it sits, GEANT’s SP is violating R&S operating principles, so that needs to be communicated up to them as well.
- Mike D: How is this happening, what’s the process that GEANT used to
- Nicole: In the US compliance with R&S is a check box, there’s no technical audit
- Mike D: So US schools are just failing to authenticate?
- Nicole: Yes. We started getting requests from schools that were having trouble logging into CAT after being able to access the service previously. When working with GEANT they were told there was an additional attribute that they needed to provide (which is not included in the R&S schema).
- Mike Z: Worth
- Brett: Are we in communication with GEANT? Do we need to communicate with our community?
- Mike Z: Have only recently reached out to GEANT. Needed to get clear internally
- Nicole: We also wanted to get guidance from this committee.
- Rob: We’re an R&S school and a Google school, and have noticed that we can’t access CAT via InCommon but can via Google
- Nicole: Rob, are you using Cirrus Identity's Google IdP proxy for your Google users? If so, they are probably acting based on the additional "RequestedAttribute"(s) in metadata, which is why it's working.
- Rob: No, our Google Workspace is federated directly with our SSO provider (which is Azure).
- Nicole: What is proxying Azure into InCommon for you?
- Rob: our Shibboleth IDP is actually SAML proxying to the same identity store that Google is directly peered with, Azure
- Albert: The request has good technical justification. The issue is that one of the R&S attributes is eduPersonTargetedID, but some implementations of that attribute don't work with GEANT's SP. Long term would be to drive compliance; short term would be to work with GEANT to come up with a fix to bring them back into compliance with v1 standards.
- Brett: Like this approach. Another piece that would be nice would be determining a more ideal attribute release practice that would work better long term. Need to have a communication plan to identify and reach out to impacted schools with recommendations to fix this. One thing to consider is whether fixing this will break other things.
- Albert: It shouldn't. From an InCommon federation side we like the requirements CAT is asking for but think their approach is too aggressive. Would like to work with GEANT to come up with a common solution. Could change the R&S spec (not ideal). Or could leverage the weight of the eduroam community to get them to meet us in the middle.
- Rob: CAT is a valuable tool to the community and to tools we're looking at building to serve our community.
- Albert: Agree. Delicate balance to strike here. If CAT wants to support a wide user base it needs to accept legacy attributes AND communicate a clear transition timeline. Just requiring new attributes or dramatic changes doesn't work.
- Brett: Agree. Also likes Rob's point about the need to drive more adoption of CAT. Albert, could we narrow down the questions that we'd want to provide to the international community? Could you assist the eAC in the outreach? Can we provide specifics?
- Albert: There are multiple stakeholders and parties involved. We need to talk to the CAT team and ensure they can make changes to fully support the R&S schema. I understand their concerns around eduPersonTargetedID, but they need to communicate a timeline for changes. If we need to work through the US IAM community we could cite CAT as the killer app to drive compliance from our end.
- Nicole: Would be good to get guidance and develop documentation with the international community to make this change sanely.
- Albert: US IdP community is one party to drive change. The eAC is a good face to those efforts. CAT is another. REFEDS and eduGAIN communities are the other two stakeholders here. If we go down the direction I was talking about we should reach out to those latter two stakeholders to start talking about how the R&S specs are used, where they need to be updated, how to go about that and communicate that need. Having REFEDS, eduGAIN and the US eduroam community all aligned would be much more likely to succeed
- Brett: Like all of these points. We need to start looking at a communication plan to inform the US community. Also need to keep in communication with REFEDS, eduGAIN communities. If we see that the timeline for fixing this is going to drag on we need to make that clear to the US community.
- Nicole: Suggest Albert and/or I reach out to the federation operators group detailing this issue, making it clear that it represents a challenge to eduroam, and ask them what next steps should be. Then have private conversations with community members to gauge reception. Also need to reach out to REFEDS. And we need to identify who in the US is impacted and undertake a communication campaign to reach out to them.
- Albert: What’s the impact here? Do we know how many are impacted?
- Rob: We've had some discussions around metrics, how to gauge impacts.
- MikeD: Would the users trying to log into CAT be documented in logs?
- Nicole: That's challenging. The IdP thinks it did the right thing. The user just gets left at the SP with a cryptic error message, which is never reported back to the IdP.
- Rob: I'm happy for UNCG to be a guinea pig in whatever we come up with. We have CAT but also do eduroam onboarding through a commercial tool... we have an alternative way of accessing CAT (Google social) but also have an InCommon IdP to try out the fix on.
- Brett: The approach that Albert and Nicole put together sounds great. Also want to gauge urgency. From my perspective it’s urgent - there’s an operational and reputational risk here.
- Ann: Totally agree, Brett. Secondarily there's a federation risk.
- Nicole: I volunteer to lead outreach. My team has the ammunition needed to articulate a case for action. Want to be sure we communicate the need for an immediate fix. Will also check in with the federation operators group and report back to the eAC.
- Brett: Would like a list of CAT users in the US to begin communication.
- Nicole: Would be tricky to generate that from the federation side.
- MikeZ: I can generate a list of current CAT subscribers
- Nicole: That would help/
- Albert: I’d like to bring the TAC into this conversation as they’re well positioned to work with the US community on updating attribute practices. Would also be a good community touch point to keep us honest in our work. Would like to use CAT as a forcing function to drive positive change in the US, just want CAT to make allowances for existing
- Next steps: Albert will reach out to FOG. Nicole will set up doc to track impacted entities. MikeZ will generate list of current US CAT users, provide to Nicole and Albert
- Request from Internet2: Draft a letter from the community to provide to GEANT, REN-ISAC, other members of the international eduroam community
- Look at institutions asserting v1 R&S who are also using CAT and reach out to them
- Updating the eduroam Best Practices Guide (Brett/Mike)
- Several items have fallen out of date - time to review and revise?
- RP Testing Design Proposal (Margaret)
- Review and comment
- Brett: Appreciate this! Is there a timeline for the eAC to get in their feedback?
- Mike Z: Two weeks seems good, but will yield to Margaret, Ann, Romy
- Romy: That makes sense from our end.
- Brett: That was what I was thinking. Sounds good.
- Margaret: Obviously if there are show stoppers or grave concerns we can adjust
- Brett: Sounds great. Asking committee members to have their comments in within two weeks
- Reminder of InCommon committee nominations, discussion of next steps for eAC
- Link to nomination page: https://incommon.org/news/bring-your-unique-expertise-to-incommon-advisory-committees/